Last week the SEC’s Division of Corporation Finance released compliance and disclosure interpretations (C&DIs) pertaining to the latest cybersecurity disclosure requirements. The C&DIs provide guidance on when public companies can postpone Form 8-K cyber incident disclosures for reasons related to national security or public policy.
Starting December 18, 2023, companies encountering a material cyber incident must disclose under Item 1.05(a) of Form 8-K, to the extent known at the time of filing, the material aspects of the nature, scope, and timing of the incident, and the incident’s material impact or reasonably likely material impact on them, including their financial condition and results of operations. Importantly, smaller reporting companies will be required to comply with Item 1.05(a) of Form 8-K starting on June 15, 2024.
Companies that experience a material cyber incident, however, may delay filing of an Item 1.05(a) Form 8-K if the U.S. Attorney General determines that immediate disclosure would pose either a substantial risk to national security or public safety and notifies the SEC of the determination in writing, which delay may be extended if the Attorney General determines such disclosure continues to pose a substantial risk to national security or public safety. If the Attorney General indicates that further delay is necessary, the SEC will consider additional requests for delay on a case-by-case basis.
Below is a summary of the C&DIs, along with links to the comprehensive text of each C&DI.
Initial Extension Requests: Question 104B.01 provides that merely requesting a delay to disclose a material cyber incident (based on national security or public safety grounds) does not relieve a company from its obligation to file an Item 1.05(a) on Form 8-K within four business days of its determination that the cyber incident was material. That is, if the Attorney General does not confirm that a disclosure of the cyber incident poses either a substantial risk to national security or public safety before the filing of an Item 1.05(a) on Form 8-K is due, the company is still required to make such a disclosure within four business days of its determination that the cyber incident was material.
Subsequent Extension Requests: Question 104B.02 provides that if a company seeks to extend a previously granted delay period and the Attorney General either rejects or does not respond before the end of the delay period, the company is required to disclose the cyber incident in an Item 1.05(a) of Form 8-K within four business days of the end of the previously granted delay period.
Shortened Delay Periods: Question 104B.03 provides that if the Attorney General, during a granted 30-day delay, concludes that disclosure of a cyber incident no longer poses a substantial risk to national security or public safety, the company is required to file Item 1.05(a) on Form 8-K within four business days of the Attorney General’s notification of its determination.
Engaging Law Enforcement: Question 104B.04 provides that merely consulting the Attorney General regarding the availability of a delay under Item 1.05(c) of Form 8-K (for national security or public safety grounds) does not automatically deem a cyber incident as material, and in turn triggering the disclosure requirements of Item 1.05(a) of Form 8-K.
Additionally, the FBI issued guidance outlining the application process for seeking a delay of required disclosures of material cyber incidents. Following the issuance of the FBI guidance, the DOJ released its own guidelines explaining the process of reviewing and adjudicating delay requests by the Attorney General for cyber incidents that pose a substantial risk to national security and public safety.
* * * *
As always, we and our colleagues are available at any time to discuss these or other matters.